ENH: added multiline filter for sshd filter

pull/457/head
Daniel Black 11 years ago
parent 84f915c1f7
commit 227f27ce6b

@ -36,6 +36,9 @@ code-review and minor additions from Yaroslav Halchenko.
into logging messages in case of error or at DEBUG loglevel.
Daniel Black and TESTOVIK
* Multiline filter for sendmail-spam. Close gh-418
Daniel Black and John Thoe
* Multiline regex for Disconnecting: Too many authentication failures for
root [preauth]\nConnection closed by 6X.XXX.XXX.XXX [preauth]
- Enhancements
Steven Hiscocks
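Review bot: the new ChangeLog entry describes the match as "Too many authentication failures for root", but the failregex added in filter.d/sshd.conf uses `for .+? \[preauth\]`, so it bans any user, not just root; word the entry to match the regex's scope. The neighbouring sendmail-spam entry cites its issue (`Close gh-418`); this entry should cite the issue or report it addresses in the same way.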

@ -33,6 +33,7 @@ Georgiy Mernov
Guillaume Delvit
Hanno 'Rince' Wagner
Iain Lea
John Thoe
Jonathan Kamens
Jonathan Lanning
Jonathan Underwood

@ -23,6 +23,7 @@ failregex = ^%(__prefix_line)s(?:error: PAM: )?[aA]uthentication (?:failure|erro
^%(__prefix_line)sUser .+ from <HOST> not allowed because a group is listed in DenyGroups\s*$
^%(__prefix_line)sUser .+ from <HOST> not allowed because none of user's groups are listed in AllowGroups\s*$
^(?P<__prefix>%(__prefix_line)s)User .+ not allowed because account is locked<SKIPLINES>(?P=__prefix)(?:error: )?Received disconnect from <HOST>: 11: Bye Bye \[preauth\]$
^(?P<__prefix>%(__prefix_line)s)Disconnecting: Too many authentication failures for .+? \[preauth\]<SKIPLINES>(?P=__prefix)(?:error: )?Connection closed by <HOST> \[preauth\]$
ignoreregex =
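Review bot: the `(?P=__prefix)` backreference in the new failregex requires the second line's prefix to be byte-identical to the first, yet the two test lines added in this commit differ in timestamp (21:50:19 vs 21:50:37) and share only `sshd[8148]:`; confirm that `__prefix_line` never includes the timestamp, otherwise the pair will never match. The same construction is already used by the `account is locked` regex above it, so a short comment in the filter explaining that both lines must come from the same sshd process (same pid) would help the next reader; it also means a `Connection closed by <HOST> [preauth]` line alone carries the host but can never match on its own, which is the intended behaviour and worth stating.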

@ -117,3 +117,10 @@ Sep 29 17:15:02 spaceman sshd[12946]: Failed password for user from 127.0.0.1 po
# failJSON: { "time": "2004-11-11T08:04:51", "match": true , "host": "127.0.0.1", "desc": "Injecting on username ssh 'from 10.10.1.1'@localhost" }
Nov 11 08:04:51 redbamboo sshd[2737]: Failed password for invalid user from 10.10.1.1 from 127.0.0.1 port 58946 ssh2
# failJSON: { "match": false }
Nov 23 21:50:19 sshd[8148]: Disconnecting: Too many authentication failures for root [preauth]
# failJSON: { "time": "2004-11-23T21:50:37", "match": true , "host": "61.0.0.1", "desc": "Multiline match for preauth failures" }
Nov 23 21:50:37 sshd[8148]: Connection closed by 61.0.0.1 [preauth]
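Review bot: the added test covers only the adjacent-line case; add a sample with an unrelated line between the `Disconnecting:` and `Connection closed by` messages to exercise `<SKIPLINES>`, and a lone `Connection closed by ... [preauth]` line marked `"match": false` to show the second line never bans by itself. The two new lines also omit the hostname that every other sample in this file carries (for example `redbamboo sshd[2737]`); either add one for consistency or confirm that `__prefix_line` accepts the bare `sshd[8148]:` form.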
